b'Office of Inspector General\n\n\n\n\nBackground\nInvestigations\n\n      March 28, 2008\n Inspection Report No. 434\n\x0c                                                                                                          Page 2\n\n\n\n                                    Table of Contents\n\nExecutive Summary ................................................................................................... 2\n\nObjectives and Scope ................................................................................................... 3\n\nBackground.................................................................................................................. 4\n\nInspection Results ....................................................................................................... 5\n\n         Inadequate Operating Procedures ................................................................... 6\n         Lack of an Effective Case Management Tracking System ............................. 7\n         Insufficient Resources to Accommodate the Workload ................................... 9\n         Inadequate Workspace and Improper Storage of Files................................. 10\n         Ineffective Use of an E-Gov Initiative- e-QIP................................................ 10\n         Pilot Interim Clearance Process .................................................................... 11\n         Implementation Plan...................................................................................... 14\n         OMB Reporting ............................................................................................... 15\n\nOther Matter ............................................................................................................. 16\n\nAppendices\n     1. Management\xe2\x80\x99s Comments. ........................................................................ 18\n     2. List of Recommendations .......................................................................... 21\n\n\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                                 MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                                Page 3\n\n\n\n\n        BACKGROUND\n       INVESTIGATIONS\n____________________________\n                          EXECUTIVE SUMMARY\nThe Office of Inspector General of the Securities and Exchange Commission\nconducts regular audits and inspections of Agency operations to promote the\neffectiveness, integrity, and efficiency of the Commission. We conducted an\ninspection of the Commission\xe2\x80\x99s process for initiating background\ninvestigations and making suitability determinations for employees and\ncontractors.\nWe found that significant organizational issues are preventing the\nCommission from having an effective Personnel Security/Suitability Program\n(the Program). We recommend that the Commission (1) develop\ncomprehensive operating procedures, (2) create an information system to track\nwork processes, (3) evaluate and restructure staff resources, and (4) acquire\nappropriate work and storage space for the Program.\nWe also found that the Commission did not comply with key requirements of\nHomeland Security Presidential Directive (HSPD) 12, Policy for a Common\nIdentification Standard for Federal Employees and Contractors, Federal\nInformation Processing Standards (FIPS) Publication 201-1, and OMB\nguidance related to:\n    \xe2\x80\xa2    Reviewing initial results from Office of Personnel Management (OPM)\n         investigations prior to granting interim clearances permitting\n         individuals unescorted access to Commission facilities.\n    \xe2\x80\xa2    Conducting background investigations on existing contractors,\n         employees and others (e.g. temporary employees, student interns) that\n         have worked at the Commission less than 15 years and do not have the\n         minimum required type of investigation.\n    \xe2\x80\xa2    Reporting reliable data to the Office of Management and Budget (OMB)\n         regarding the Commission\xe2\x80\x99s progress in implementing HSPD 12.\nOur report includes specific recommendations of the immediate actions that\nthe Commission should take to correct the deficiencies we identified, and to\nnotify OMB of the deficiencies, as appropriate.\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                                Page 4\n\n\nLastly, we identified a matter related to the Commission\xe2\x80\x99s issuance of HSPD\n12 compliant identity cards that we believe warrants quick resolution by\nCommission management.\nMany of our findings and recommendations were discussed with Commission\nmanagement during the course of our review. In some instances, actions are\nalready being taken to address the deficiencies. As a result, some of our\nrecommendations refer to work in progress, while others refer to tasks that\nstill need to be addressed.\nThe Office of Human Resources concurred with all recommendations in the\nreport. Their formal written response is included as Appendix 1.\n\n\n                      OBJECTIVES AND SCOPE\nWe initiated an inspection of the Program based on complaints from\nCommission officials regarding significant delays associated with the\nprocessing of background investigations for employees and contractors. Our\noriginal objectives were to determine if the Office of Human Resources (OHR)\n(1) promptly initiated investigations for contractors and staff, (2) initiated the\nappropriate type of investigation, and (3) maintained adequate systems for\ntracking the progress of investigations and OPM results.\nThe scope of our review, however, was limited by OHR\xe2\x80\x99s delays and inability\nto produce operational data, lack of reliable information systems or other\nmethods to track workflow data, inadequate internal policies and procedures,\nand departure of key personnel associated with the Program during the\ncourse of our review. Consequently, our review and report focus on\nsignificant organizational issues affecting the overall efficiency and\neffectiveness of the Program that we believe warrant quick management\naction. We plan to do a follow-up review of this Program in the near future.\nWe interviewed applicable Commission staff in the Office of Information\nTechnology (OIT), OHR, and Office of Administrative Services (OAS), as well\nas officials from OPM; reviewed applicable internal operating procedures,\nrelevant Federal requirements and regulations, and OPM guidance; reviewed\navailable OHR operational data for the Program; and reviewed available\ndocumentation for a judgmental sample of interim clearances granted under\na newly implemented pilot program. We focused on operational processes\nduring Fiscal Year 2007. We did not review the Office of Physical Security\xe2\x80\x99s\ncompliance with applicable requirements for issuing new identity credentials\nto employees and contractors under Federal Information Processing\nStandards (FIPS) Publication 201-1 or OIT\xe2\x80\x99s procedures for granting these\nindividuals access to Commission information systems.\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                                Page 5\n\n\nFieldwork was performed from October 2007 to February 2008 in accordance\nwith Quality Standards for Inspections, January 2005 edition, issued by the\nPresident\xe2\x80\x99s Council on Integrity and Efficiency and the Executive Council on\nIntegrity and Efficiency.\n\n                                   BACKGROUND\nThe Commission is required to initiate background investigations (if a\nsatisfactory investigation is not already on file), evaluate results, and issue\nidentity credentials to its employees, contractors and other applicable\nindividuals (e.g., temporary employees, student interns) who require long-\nterm access to Commission controlled facilities and/or information systems.\nThe Commission also requires that employees and contractors undergo a\ncredit check.\nThe Office of Human Resources\xe2\x80\x99 Personnel Security/Suitability Branch (PSB)\nadministers the background investigation process and makes decisions\nregarding an individual\xe2\x80\x99s suitability for employment. PSB is responsible for\ndetermining the type of background investigation that should be conducted,\narranging completion of investigations by OPM, reviewing and evaluating\ninvestigation results, maintaining personnel security files, and issuing\nguidance regarding the Program. OPM (or an OPM contractor) is responsible\nfor performing the background investigation.\nOIT, in conjunction with OHR, developed operating procedures for the\npersonnel security program in July 2006 (OP 24-04.03.02.01- Background\nInvestigations). These operating procedures are issued pursuant to\napplicable Federal regulations (Title 5, Code of Federal Regulations, Part 731\nand 736, Executive Order 10450, Security Requirements for Government\nEmployment, Homeland Security Presidential Directive 12, Policy for a\nCommon Identification Standard for Federal Employees and Contractors\n(HSPD 12), FIPS 201-1 and various OPM guidance).\nHSPD 12, issued by President Bush on August 27, 2004, cited the wide\nvariations in the quality and security of the forms of identification used to\ngain access to federal and other facilities, and called for the development of a\nmandatory standard for secure and reliable forms of identification to be used\nthroughout the Federal government. The directive identified the\ngovernment\xe2\x80\x99s requirements for a common government-wide identification\nsystem that would enhance security, increase government efficiency, reduce\nidentity fraud, and protect personal privacy. FIPS 201-1, approved by the\nDepartment of Commerce on February 25, 2005, established a government-\nwide personal identity verification (PIV) system. The system is based on the\nuse of smart cards, which will be issued by all Federal government\ndepartments and agencies to their employees and contractors who require\naccess to federal facilities and information.\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                                      Page 6\n\n\nFIPS 201 was issued in two parts to allow for a smooth migration to a secure,\nreliable personal identification process. Part 1 of FIPS 201-1 (PIV 1)\ndescribes the minimum requirements for a Federal personal identification\nsystem, including the process to prove an individual\xe2\x80\x99s identity. Agencies may\nissue credentials only to applicants whose identity has been established and\nwho have had a background investigation. Applicants for credentials must at\na minimum be examined through an OPM background investigation process,\nthe National Agency Check with Written Inquiries (NACI), 1 to establish\nassurance of identity. The initial phase of the NACI, an FBI National\nCriminal History Fingerprint Check, must be completed before an initial\nidentity card is issued. When the full NACI is completed, the agency reviews\nthe results and takes appropriate action if negative results are received. By\nOctober 27, 2005, agencies were required to have procedures in place for\nverifying employees\xe2\x80\x99 identities to meet the requirements of PIV I.\nAccordingly, an agency may continue to issue its current employee\nidentification; however, the controls and procedures surrounding the issuance\nof official government identification must be in compliance with PIV I. FIPS\n201-1 created a number of new security criteria, and included for the first\ntime, requirements for certain previously exempt contractors to be subject to\nthe background investigation clearance process.\n\nPart 2 of FIPS 201-1 (PIV II) describes the minimum requirements of an\nidentification card that allows use of smart cards by Federal departments\nand agencies and was required to be implemented by agencies starting in\nOctober 2006.\n\nThe OIG has reviewed the Commission\xe2\x80\x99s background investigation processes\nfor employees and contractors in prior audits (Audit Nos. 339 and 340 issued\nAugust 13, 2001) and found that significant improvements were needed in\nthis area.\n\n\n                           INSPECTION RESULTS\nOur inspection found that the Program requires significant improvement in\nseveral areas, including (1) development of detailed operating procedures, (2)\ncreation of an effective case management tracking system, (3) evaluation and\nrestructuring of staff resources, (4) adequate workspace and storage of\npersonnel security files, and (5) compliance with various aspects of HSPD 12\nand FIPS 201-1. It is imperative that OHR take prompt action to remedy\nthese deficiencies to ensure the effective and efficient operation of the\n\n1\n  The National Agency Checks are the Security/Suitability Investigations Index (SII), Defense Clearance and\nInvestigation Index (DCII), FBI Name Check, and FBI National Criminal History Check. The National Agency\nCheck with Written Inquiries includes all of the National Agency Checks plus searches of records covering specific\nareas of an individual\xe2\x80\x99s background during the past five years.\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                              MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                                Page 7\n\n\nProgram. Delays in processing background investigations and the lack of\nadherence to relevant Federal requirements negatively impact the\nrecruitment of staff and other temporary personnel, efficient use of\ncontractors, and security of federally controlled facilities and Commission\ninformation systems.\n\nORGANIZATIONAL ISSUES\n\nInadequate Operating Procedures\n\nOur inspection found that the Commission lacks comprehensive operating\nprocedures for initiating, evaluating, and documenting background\ninvestigations for employees and contractors. The current operating\nprocedures (OP 24-04.03.02.01-Background Investigations) consist primarily\nof a list of steps associated with the background investigation process (e.g., a\ndetermination of the appropriate security paperwork, receipt of OPM results\nand evaluation of any issues, final determination of an individual\xe2\x80\x99s\nsuitability 2 for employment) and a list of relevant guidance.\n\nThe operating procedures do not clarify, define, and establish specific\npersonnel security processes regarding making a determination of position\nsensitivity 3 , determining the minimum background investigation for different\nposition sensitivity levels, making preliminary and final suitability\ndeterminations, reviewing and adjudicating OPM investigation results, and\nadhering to due process procedures for unfavorable suitability\ndeterminations.\n\nWe believe the procedures at a minimum should (1) provide detailed\ninformation regarding each step in the background investigation process; (2)\nreference applicable guidance (e.g., OPM guidance, Federal requirements and\nregulations) and state what processes will be employed to ensure adherence\nto the guidance; (3) include target milestones for completion of various\nprocesses; (4) state what documentation will be maintained to support\ndecisions made; and (5) incorporate management review of significant\ndecisions as deemed appropriate.\n\nDeveloping comprehensive operating procedures will help ensure that\npersonnel security activities are carried out consistently; in accordance with\napplicable Federal requirements, regulations and OPM guidance; and in a\ncost effective manner. For example, we found that PSB often requests that\n\n\n2\n  General fitness or eligibility for Federal employment.\n3\n  The degree of risk and level of relative importance assigned to a specific position.\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                                Page 8\n\n\nOPM perform a minimum background investigation (MBI) 4 for contractors\nalthough FIPS 201-1 only requires a NACI or equivalent. A standard MBI\ncost approximately $450 more than the basic NACI and takes longer to\ncomplete. Based on the estimated 416 existing contractors as of December\n2007 that require a background investigation (per OHR\xe2\x80\x99s reported numbers\nto OMB), changing the type of investigation required could result in potential\ncost savings. A PSB staff member stated that she usually requests an MBI\nbecause it is a more thorough investigation, consisting of in-person\ninterviews, rather than just written inquiries and many contractors have\naccess to IT systems. While this rationale has merit, OHR as a whole needs\nto develop a process/criteria it will use to determine when to request an MBI\ninstead of a NACI for contractors.\n\nThe Center for Organizational Excellence, a consultant hired by OHR to\nreview OHR workflow processes, reported in May 2007 that a lack of\ndocumented, understood, and defensible personal security workflow processes\nwas a root cause for problems associated with staff acquisition at the\nCommission. There is no evidence that management responsible for direct\noversight of PSB have taken action to develop new operating procedures to\naddress this issue.\n\nRecommendation A\n\nWe recommend that OHR develop detailed operating procedures (or a\npersonnel security/suitability handbook that is maintained internally) for the\nProgram and circulate these procedures for clearance by June 30, 2008.\n\nLack of an Effective Case Management Tracking System\n\nPSB does not have an effective information system to manage its workload of\nbackground investigation cases. Prior to implementation of the interim\nclearance process, PSB recorded background investigation data on various\nExcel spreadsheets. Two spreadsheets were used to record background\ninvestigation data for contractors and employees that was useful to PSB\ninternally (such as a social security number, position sensitivity level, type of\ninvestigation, date paperwork sent to OPM, date investigation initiated and\ncompleted, contractor name and position description information.)\n\nOther spreadsheets were used to report data to other offices within the\nCommission. This included a spreadsheet accessible to human resource\nspecialists to track the status of the security paperwork for prospective\n\n4\n  This investigation requires a NACI, a credit record search, a face-to-face personal interview between the\ninvestigator and the subject, and telephone inquiries to selected employers.\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                                Page 9\n\n\nemployees. Also, PSB developed a spreadsheet to track similar information\nfor summer interns. Our review has identified the following concerns with\nthe tracking system based on discussions with a PSB staff member and our\nreview of available data:\n\n\xe2\x80\xa2        OHR is not able to provide outside parties timely access to information\n         in the tracking system. Although the OIG made numerous requests\n         over a period of a couple of months and offered to assist in accessing\n         the data, OHR was not able to provide the data in a timely manner.\n         Additionally, although PSB represented that it had two tracking\n         spreadsheets (one for contractors and one for employees) to track\n         internal workload data, OHR was unable to provide access to the\n         tracking spreadsheet for regular employees.\n\n\xe2\x80\xa2        The tracking spreadsheets were maintained and updated by one of the\n         PSB staff members, but were not readily accessible to other staff.\n\n\xe2\x80\xa2        Data in the spreadsheets had not always been updated and maintained\n         and one of the spreadsheets reviewed appeared to have missing data.\n\n\xe2\x80\xa2        The spreadsheets did not adequately track all workflow processes\n         within PSB (e.g., when PSB was notified of a prospective employee or\n         contractor, date of initial and follow-up contact with an individual\n         regarding security paperwork or receipt of security paperwork.)\n\n\xe2\x80\xa2        There was no tracking spreadsheet to provide data to applicable\n         parties regarding the status of background investigation for\n         contractors, although there was one for employees.\n\nDuring the course of our review, OHR introduced another spreadsheet to\ntrack background investigation data related to a pilot interim clearance\nprocess. While we believe this spreadsheet more effectively tracks workflow\ndata regarding front-end processes performed by PSB (prior to initiation of a\nbackground investigation), the spreadsheet lacked other information\nregarding the type of investigation initiated, receipt and review of OPM\ninvestigation results, (such as the advance fingerprint report, advance\nnational agency check report, and final OPM results) and resolution of any\nissues found from OPM\xe2\x80\x99s investigation. Additionally, per discussion with a\nPSB staff member, the new spreadsheet does not contain some data from the\nold tracking spreadsheets that was useful to manage the Program from an\ninternal perspective.\n\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 10\n\n\nRecommendation B\n\nWe recommend that OHR develop (with the assistance of OIT) or acquire a\ncase management tracking system with the capability to track and document\ninternal workflow processes, produce reports useful for managing the\nprogram, and report data to outside parties as necessary. OHR should\nspecifically dedicate resources to this effort.\n\nInsufficient Resources to Accommodate the Workload\n\nOHR needs to evaluate and restructure staff resources to better accommodate\nthe background investigation workload. As of January 2008, PSB was staffed\nwith two permanent employees (an experienced staff person and one junior\nstaff person). The junior staff person resigned from the Commission in\nJanuary 2008 and a replacement from within the Commission was identified.\nThe two permanent employees reported to a Branch Chief who managed\nother personnel functions. However, the Branch Chief retired in February\n2008 and that position is now vacant. In addition, the Associate Director that\nthis Branch Chief reported to also left the Commission in February 2008. In\nthe past, PSB has also utilized the resources of temporary, contractor, and\nadministrative staff to help meet its workload demands.\n\nWe found that only one of the two personnel security specialists is actually\ntrained to perform all personnel security functions including such tasks as\nevaluating OPM background investigation results. This individual also trains\nany new permanent or temporary personnel assigned to the branch. While\nstaff resources within PSB have not increased, the workload of PSB has\nincreased substantially in recent years due to increases in the size of the\nCommission and new requirements such as HSPD12, which requires all new\ncontractors to be subject to background investigations as well as existing\nemployees and contractors without the minimum required background\ninvestigation.\n\nAdmittedly, PSB has focused its limited resources on meeting the demands\nfor new clearance requests (i.e., getting the security paperwork together and\nto OPM for the investigation to be initiated). Consequently, not enough time\nis being devoted to other PSB essential functions such as receipt and timely\nreview of investigation results, maintaining an updated tracking system,\ncommunicating changes in operating procedures to customers within the\nCommission, reviewing reassignments within the Commission to determine if\na individual requires a new investigation, initiating reinvestigations when\nrequired, ensuring that applicable requirements (such as HSPD12) are met,\nand attending training on current developments in the personnel\nsecurity/suitability area.\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 11\n\n\nRecommendation C\n\nOHR should evaluate and restructure staff resources assigned to PSB to\nensure that all essential functions are performed in an effective and timely\nmanner. OHR should also recruit additional skilled staff and ensure that all\nstaff are adequately trained to perform their jobs successfully. Further, OHR\nshould consider recruiting additional temporary staff to assist with the\nbacklog of background investigations.\n\nInadequate Workspace and Improper Storage of Files\n\nWe performed a walkthrough of PSB\xe2\x80\x99s office space including storage and\nfiling capacity. We found that PSB does not have a secured central\nlocation/file room for personnel security files and that personnel security files\nand security paperwork were contained in numerous locations including\nvarious file cabinets that cannot be locked, open cubicles, and a personnel\nspecialist\xe2\x80\x99s office. Additionally, we found PSB\xe2\x80\x99s workspace in general to be\nunsuitable for the type of work they perform (e.g., reviewing and discussing\npersonnel security information and meeting with employees and contractors\nregarding their security paperwork.) The workspace is centrally located\nwithin OHR, consists of one office and some cubicles and is physically\naccessible to all contractors and employees that have access to the building.\n\nRecommendation D\n\nOHR should obtain secure storage for personnel security files and a\nworkspace conducive for personnel security type work.\n\nIneffective Use of an E-Gov Initiative \xe2\x80\x93 e-QIP\n\nWe found that PSB is not effectively utilizing the Electronic Questionnaires\nfor Investigations Processing system (e-QIP). The secure web-based system\nis part of an e-government initiative sponsored by OPM and was made\navailable for agency use in 2004. E-QIP allows applicants to electronically\nenter, update, and transmit their personal investigative data over a secure\nInternet connection to their employing agency for review and approval. The\ndata can then be reviewed and transmitted by agencies to OPM for timely\ninitiation of a background investigation. The Commission received training\non e-QIP in September 2007 and began implementation shortly thereafter.\n\nWe found that although PSB required that applicants utilize the system to\ncomplete, certify, and release their security questionnaire form to PSB (e.g.,\nSF85P), PSB was not always electronically uploading and submitting the e-\nQIP signature form (a form manually signed by the applicant to certify that\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 12\n\n\nthe applicants answers on the security questionnaire and related documents\nare true, complete, and accurate) to OPM. PSB was also not electronically\nuploading to e-QIP other documents that are typically included in the\nsecurity package sent to OPM such as the credit release form, optional form\n306, and resume. PSB would submit the aforementioned documents along\nwith the paper fingerprint card to OPM via Fed Ex, or other mechanism.\n\nPer discussions with an OPM official, the Commission is in violation of its\nmemorandum of understanding with OPM regarding the use of e-QIP by not\nuploading and electronically transmitting security packages (with the\nexception of the paper fingerprint cards) to OPM. Additionally, the\nCommission is not effectively utilizing this e-government initiative to help\nspeed up investigation processing. It should also be noted that once the\nCommission begins its new credentialing system (issuance of smart cards),\nfingerprinting will be done electronically, therefore, eliminating the need to\nsubmit paper copies of any security paperwork (assuming e-QIP is properly\nutilized), which will reduce costs.\n\n\nRecommendation E\n\nOHR should ensure that all personnel security specialists are properly\ntrained in the use of e-QIP and are effectively utilizing e-QIP by uploading\nand transmitting all security documents (with the exception of paper\nfingerprint cards) to OPM.\n\n\nPilot Interim Clearance Process Not in Compliance with HSPD-12\n\nWe found that the Commission had not complied with key requirements of\nHSPD 12 and FIPS 201-1 regarding (1) initiation of background\ninvestigations by OPM and receipt of an acceptable FBI fingerprint check\nprior to granting employees and contractors unescorted access to Commission\nfacilities, (2) compliance with key milestone requirements regarding\ncompletion and/or verification of minimum background investigations for\nexisting employees and contractors that have been with the Commission 15\nyears or less, and (3) reporting of key milestone data to OMB regarding\nbackground investigations for Commission contractors. As a result, the\nCommission has violated Federal requirements and should take immediate\ncorrective action including notifying appropriate parties (such as OMB) of the\nviolations, as applicable.\n\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 13\n\n\nPilot Interim Clearance Process\nFIPS 201-1 requires that agencies initiate a NACI or other appropriate type\nof investigation prior to initial credential issuance for new employees,\ncontractors, and other applicable individuals. Agencies are prohibited from\nreinvestigating individuals transferring from another department or agency\nprovided certain criteria are met. FIPS 201-1 states that at a minimum, the\nFBI National Criminal History Check (fingerprint check) shall be completed\nbefore initial credential issuance. FIPS 201-1 further requires that identity\ncredentials issued to individuals without a completed NACI or equivalent\nmust be electronically distinguishable from identity credentials issued to\nindividuals with a completed investigation.\nIn October 2007, OHR began a 90-day pilot interim clearance process. This\nprocess was put into place due to complaints by Commission officials of\nsignificant delays with clearances. Under the new process, OHR granted\ninterim clearances based upon a review of an individual\xe2\x80\x99s relevant\nbackground investigation documents prior to their submission to OPM for\ncompletion of the full background investigation. The targeted time period to\nissue an interim clearance was five days. The interim clearance was to\nremain in effect until the full background investigation was completed by\nOPM and PSB had reviewed and evaluated any issues. New employees were\ninformed that their continued employment status was contingent upon a\nsatisfactory background investigation. An interim clearance permitted\ncontractors and new employees to begin work with the Commission, get an\nidentification badge and gain unescorted access to Commission facilities\nwhile the full background investigation was ongoing.\nThe OIG picked a judgmental sample of 15 out of approximately 87\nindividuals (12 contractors and 3 employees) that received interim clearances\nunder the 90-day pilot program as of January 14, 2008. We then obtained\nand reviewed the relevant PSB files 5 to ensure the process complied with\napplicable HSPD 12 guidance. We identified the following issues/concerns:\n         \xe2\x80\xa2   OHR had only recently begun to provide interim clearances\n             although Federal guidelines had given agencies this ability since\n             October 2005.\n         \xe2\x80\xa2   Ten individuals were cleared by PSB to receive identification\n             badges (an email was sent to the Office of Physical Security that\n             the individual was cleared for an ID) although OPM had not yet\n             initiated their background investigations and the FBI fingerprint\n             results had not been obtained and reviewed. This process is in\n             direct violation of FIP 201-1 and the Commission\xe2\x80\x99s own operating\n             procedures for background investigations. For one of the ten\n\n5\n  PSB was unable to readily locate the personnel security files for two of the individuals in our sample.\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 14\n\n\n             individuals, OPM notified the Commission that it found the\n             individual\xe2\x80\x99s security paperwork unacceptable after the individual\n             was cleared and received their badge. Additionally, although notice\n             of the unacceptable paperwork was received from OPM in\n             November 2007, there was no documentation in the file that PSB\n             had followed up as of February 2008 to determine why the\n             paperwork was unacceptable. It should also be noted that FBI\n             fingerprint results subsequently received for two of the ten\n             individuals in the sample were positive (indicating that an FBI\n             record was found). Notes in PSB\xe2\x80\x99s personnel security files indicate\n             the records were reviewed and found to be \xe2\x80\x9cok\xe2\x80\x9d.\n         \xe2\x80\xa2   PSB files for two individuals showed that OPM found and reported\n             to PSB in November 2007 issues related to the individuals\xe2\x80\x99 credit.\n             As of February 2008, PSB\xe2\x80\x99s files contained notations showing that\n             these issues still needed to be followed up on.\n         \xe2\x80\xa2   One individual in our sample was cleared for an interim clearance;\n             however, PSB could not provide proof that they notified the Office\n             of Physical Security that the individual was cleared for a badge.\n             The Office of Physical Security also did not have any record of an\n             email from PSB. Additionally, we found that PSB does not routinely\n             notify the Contractor Officer Technical Representative (COTR) or\n             an Administrative Officer when a contractor is cleared for an ID\n             (simultaneous with their notification to the Office of Physical\n             Security). As a result, a contractor may be awaiting an ID and\n             would not be aware they have been cleared for one.\n         \xe2\x80\xa2   PSB did not distinguish between an interim and final clearance\n             when they notified the Office of Physical Security via email that\n             individuals in our sample were cleared for an ID. This distinction\n             will become particularly important once the Commission starts to\n             issue the new HSPD 12 smart card badges. FIPS 201-1, Part 2,\n             requires that identity credentials issued to individuals without a\n             completed NACI, or equivalent must be electronically\n             distinguishable from identity credentials issued to individuals with\n             a completed investigation.\n\nRecommendation F\n\nPSB should revise its current procedures to ensure: (1) interim clearances are\ngranted after an OPM investigation is initiated and the FBI fingerprint\nresults are received, reviewed, and determined to be acceptable; (2) all OPM\ninvestigation results (preliminary and final) are promptly reviewed, issues\ntimely resolved, and appropriate action taken to revoke interim clearances,\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 15\n\n\nas appropriate; and (3) the Office of Physical Security is promptly notified of\nall interim clearances, the notification states that an identification badge\nshould be issued based on an interim clearance, and the applicable COTR\nand/or Administrative contact is copied.\n\nImplementation Plan\nHSPD 12 implementation instructions published by OMB in August 2005\n(OMB Memorandum 05-24) required that agencies develop a plan and begin\nthe required background investigations, a NACI or equivalent, for all current\nemployees, contractors, and other applicable individuals who do not have an\ninitiated or completed investigation on record. This effort was required to be\nstarted by October 27, 2005.\nFor current contractors and employees who have been with the Commission\nfor less than 15 years, the requirement was to be completed by October 27,\n2007. For employees who have been with the Commission over 15 years, a\nnew investigation may be delayed, commensurate with risk, but must be\ncompleted no later than October 27, 2008.\nWe found that the Office of Human Resources does not have a formal plan of\nhow it intends to meet this requirement. Additionally, due to limited\nresources, OHR has not focused its efforts on meeting this requirement.\nConsequently, the Commission has no way of knowing where it stands with\nregard to meeting the required deadlines. The Commission reported to OMB\nin December 2007 (as part of its required quarterly HSPD-12 reporting\nrequirements) that 1,016 contractors and employees still need a NACI or\nequivalent background investigation.\n\nUntil OHR identifies what existing employees and contractors still need a\nNACI and takes action to get the required investigations completed, the\nOffice of Physical Security will not be able to issue new identity credentials\n(smart cards) to these individuals by the October 27, 2008 credentialing\ndeadline established by OMB Memorandum 07-06, issued January 11, 2007.\n\nRecommendation G\n\nOHR should develop milestones and a methodology for completing the\nminimum required background investigations for existing contractors and\nemployees and devote appropriate resources to the effort. OHR should also\ncommunicate those milestones to the Office of Physical Security.\n\n\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 16\n\n\nOMB Reporting\nWe found that PSB could not readily provide support for HSPD 12\nbackground investigation data reported by the Commission. In January\n2007, in an effort to monitor agencies implementation of HSPD-12, OMB\nissued memoranda requiring agencies to post to their Federal agency public\nwebsite certain data related to the status of background investigations for\ncurrent employees and contractors.\nThis information was collected from OHR by OIT and publicly posted on the\nCommission\xe2\x80\x99s website along with other HSPD 12 data. For the last three\nquarters, the Commission reported the following background investigation\ndata.\n           Table 1. Background Investigations Reported\n            Total Number of              Total number of             Reporting date\n            Employees Requiring          contractors requiring\n            a NACI (or at least          a NACI\n            equivalent) that have\n            not previously\n            undergone a\n            background\n            investigation\n            950                          457                         June 2007\n            610                          502                         September 2007\n            610                          416                         December 2007\n\n\n\nThe OIG inquired about the source of the data and was informed that the\nemployee data was determined by taking a list of employees, providing the\nemployee data to OPM to see if they have record of a background\ninvestigation, and then manually going through employee\xe2\x80\x99s Official Personnel\nFiles (OPF) to see if there is record of an investigation. The process of going\nthrough the OPFs has been an ongoing effort since 2006, whenever OHR has\nhad additional resources to utilize for this task. Currently, an OIT contractor\nis performing this work. With regard to the contractor data, OHR was not\nable to definitively identify how the numbers were derived and indicated that\nthe contractor data is more of a problem than the employee data as the\nCommission does not have a centralized database of all contractors.\nFurther, in October 2007, OMB provided updated HSPD 12 reporting\nrequirements for the quarterly reporting period beginning December 1, 2007.\nOMB now requires that agencies report how many background investigations\nare in progress and have been completed in addition to how many employees,\ncontractors, and others (e.g., non-paid students) need the minimum\nbackground investigation. The Commission did not provide the additional\ninformation in its December 1, 2007 report to OMB and it is questionable\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 17\n\n\nwhether accurate data exists to be able to provide this information. Without\nreliable data, the Commission cannot assess the status of their compliance\nwith HSPD-12 requirements and will not be able to successfully implement\nPart 2 of FIPS 201-1 (issuance of new identity credentials to all existing and\nnew employees and contractors).\n\n\nRecommendation H\n\nOHR should notify OMB of any reported data that cannot be supported and\ndevelop a methodology and system to capture the required HSPD 12 data for\nquarterly reporting to OMB.\n\n\nOTHER MATTERS\nThe following matter, while outside the scope of our review, came to our\nattention during the course of the inspection and requires OHR\xe2\x80\x99s urgent\nmanagement attention to ensure the Commission\xe2\x80\x99s successful\nimplementation of HSPD 12.\nOMB Memorandum 07-06 requires that new identity cards replace the\nstandard employee flash-card badges by October 27, 2008. The credentials\nwhich include biometric information such as fingerprints will provide a\ncommon identification standard to allow employees and contractors to access\nfederal buildings and computer networks.\nIn order for agencies to begin issuing the new credentials, they must develop\nand document a new credentialing system. FIPS 201, Part 2 suggests a role-\nbased model. The role-based model assigns identity-proofing responsibilities\nto individuals, based on the roles and functions they perform. This requires\nthe Commission to assign roles to various individuals and implement\ntraining for these roles. The system provides safeguards to ensure that the\nsame person cannot authorize and issue an identity card.\nPer discussion with OIT staff members, OHR was asked by OIT to designate\nindividuals (as well as backups) to fill an adjudicator 6 and sponsor role. The\nadjudicator would certify that an individual\xe2\x80\x99s FBI fingerprint check results\nhave been returned so that an interim badge can be issued, as well as later\ncertifying that a NACI or better has been completed, so that an interim badge\ncan be electronically tagged properly as finalized. For existing hires with a\nNACI or better on file, a final badge could be issued. Persons designated to\nfill the adjudicator role must meet minimum standards, including being able\nto evaluate whether a PIV application is satisfactory and apply specific\n6\n  An individual that reviews the OPM background investigation results and makes a favorable or unfavorable\nplacement determination based on relevant guidance.\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 18\n\n\nprocesses to an unsatisfactory application, have training on agency processes\nand procedures for adjudicating an unsatisfactory PIV application, and have\nsuccessfully completed a training module on the roles and responsibilities of\nthe position.\nThe sponsor would prevent a single person from authorizing issuance of an\nidentity credential. Both the sponsor and adjudicator must agree that an\nindividual should be issued a card. For new hires, the sponsor must key in\nname, social security number, an email address, and citizenship information\nto start the issuance process, then the adjudicator must validate that\nacceptable background investigation results have been obtained.\nAs of February 2008, OHR had designated two individuals to perform the\nadjudication role, however, one of those individuals has since resigned and\nthe other individual had not yet taken the required computer based training.\nAdditionally, no sponsors had been designated by OHR. Without the\nrequired designations, the Commission cannot begin to issue new credentials,\nwhich greatly increases the likelihood that it will not be able to meet the\nrequired October 2008 deadline to have smart card credentials in place.\nWe are concerned that OHR is not providing the support necessary to ensure\nthe Commission\xe2\x80\x99s success in implementing the new HSPD credentialing\nsystem and may not have other required systems in place to successfully\nfulfill its roles and responsibilities under FIPS 201-1, Part 2.\n\n\nRecommendation I\nOHR should review the new credentialing system requirements and\ncoordinate with OIT and the Office of Physical Security to ensure that it is\nfulfilling its required roles and responsibilities and has appropriate systems\nand procedures in place to capture, share, and store required data in\naccordance with FIPS 201-1, Part 2.\n\n\n\nDISCUSSION OF MANAGEMENT COMMENTS\nThe Office of Human Resources concurred with all recommendations in the\nreport. Their formal written response is included as Appendix 1.\n\n\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 19\n\n\n                                                                                          APPENDIX 1\n\n                            MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                          Page 20\n\n\n                        APPENDIX 1\n\nMANAGEMENT\xe2\x80\x99S COMMENTS\n\x0c                                                                                               Page 21\n\n\n                                                                                          APPENDIX 1\n                                MANAGEMENT\xe2\x80\x99S COMMENTS\n\n\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 22\n\n\n                                                                                          APPENDIX 2\n\n                         LIST OF RECOMMENDATIONS\n\nRecommendation A\n\nWe recommend that OHR develop detailed operating procedures (or a\npersonnel security/suitability handbook that is maintained internally) for the\nProgram and circulate these procedures for clearance by June 30, 2008.\n\nRecommendation B\n\nWe recommend that OHR develop (with the assistance of OIT) or acquire a\ncase management tracking system with the capability to track and document\ninternal workflow processes, produce reports useful for managing the\nprogram, and report data to outside parties as necessary. OHR should\nspecifically dedicate resources to this effort.\n\nRecommendation C\n\nOHR should evaluate and restructure staff resources assigned to PSB to\nensure that all essential functions are performed in an effective and timely\nmanner. OHR should also recruit additional skilled staff and ensure that all\nstaff are adequately trained to perform their jobs successfully. Further, OHR\nshould consider recruiting additional temporary staff to assist with the\nbacklog of background investigations.\n\nRecommendation D\n\nOHR should obtain secure storage for personnel security files and a\nworkspace conducive for personnel security type work.\n\nRecommendation E\n\nOHR should ensure that all personnel security specialists are properly\ntrained in the use of e-QIP and are effectively utilizing e-QIP by uploading\nand transmitting all security documents (with the exception of paper\nfingerprint cards) to OPM.\n\n\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c                                                                                               Page 23\n\n\nRecommendation F\n\nPSB should revise its current procedures to ensure: (1) interim clearances are\ngranted after an OPM investigation is initiated and the FBI fingerprint\nresults are received, reviewed, and determined to be acceptable; (2) all OPM\ninvestigation results (preliminary and final) are promptly reviewed, issues\ntimely resolved, and appropriate action taken to revoke interim clearances,\nas appropriate; and (3) the Office of Physical Security is promptly notified of\nall interim clearances, the notification states that an identification badge\nshould be issued based on an interim clearance, and the applicable COTR\nand/or Administrative contact is copied.\n\nRecommendation G\n\nOHR should develop milestones and a methodology for completing the\nminimum required background investigations for existing contractors and\nemployees and devote appropriate resources to the effort. OHR should also\ncommunicate those milestones to the Office of Physical Security.\n\nRecommendation H\n\nOHR should notify OMB of any reported data that cannot be supported and\ndevelop a methodology and system to capture the required HSPD 12 data for\nquarterly reporting to OMB.\n\n\nRecommendation I\nOHR should review the new credentialing system requirements and\ncoordinate with OIT and the Office of Physical Security to ensure that it is\nfulfilling its required roles and responsibilities and has appropriate systems\nand procedures in place to capture, share, and store required data in\naccordance with FIPS 201-1, Part 2.\n\n\n\n\n____________________________________________________________________________________________________________\nINSPECTION OF BACKGROUND INVESTIGATIONS                                          MARCH 28, 2008\nINSPECTION 434\n\x0c'